Cisco – Configuring Dynamic Multipoint Virtual Private Networks DMVPN
DMVPN KB ID 0000954 Problem A while back I uploaded a run through on how to deploy GRE tunnels and protect those tunnels with IPsec. That point-to-point GRE tunnel is a good solution, but if you have a lot of sites it’s not a solution that scales very well. Yes you can have 2147483647 tunnel interfaces, but good luck manually configuring all those tunnels and even if you did, if you want each of your remote sites to talk to each...
Implementing GDOI into DMVPN
GDOI into DMVPN KB ID 0000956 Problem Just recently I covered DMVPN, which is a great scalable system for adding new sites to your network infrastructure and have them join an existing VPN solution without the need to add extra config at the ‘hub’ site. One of the advantages of DMVPN is it maintains VPN connections from your ‘Spoke’ sites back to the ‘Hub’ site, but if a spoke site needs to speak...
Enabling Cisco DNS Lookup (ASA and IOS)
Cisco DNS Lookup KB ID 0000969 Problem For the most part, devices are more concerned with IP and MAC addresses, but the devices do have the ability to translate those IP addresses using DNS. Solution : Cisco DNS Lookup How to Enable Cisco DNS Lookup on ASA As ASA is ‘My Thing’ I will start with that. 1. Connect to the ASA, log in and go to enable mode, and then global configuration mode. Type help or ‘?’ for...
Cisco Router – Configure NAT (NAT Overload)
NAT Overload KB ID 0000971 Problem NAT is the process of taking one or more IP addresses and translating it/them into different IP addresses. You may require your router to translate all your internal IP addresses to your public (ISP allocated) IP address. To do that we use a process called NAT Overload. Solution : Nat Overload 1. Connect to the router, and got to enable mode, then global configuration mode. PetesRouter#configure...
Cisco ASA Domain Authentication and Trust (Allowing)
ASA Domain Authentication KB ID 0000973 Problem I cringed this morning when I was asked about this, last time I had to get a client to authenticate to a domain through a firewall, it was ‘entertaining’. The problem is Windows loves to use RPC, which likes to use random ports, so to make it work you either had to open TCP ports 49152 and 65535 (Yes I’m Serious). Or you had to registry hack all your domain controllers...
Cisco ASA – Remote VPN Client Internet Access
VPN Client Internet Access KB ID 0000977 Problem I have answered a lot of questions in forums, that are worded something like, “When I have a remote client connected to my firewall VPN they lose Internet access!” Traditionally that’s exactly what the ‘default’ remote VPN Internet access (IPSEC or AnyConnect) gave you. To ensure your remote VPN clients can access the Internet you have two options. The...
Cisco ASA – VPN Reverse Route Injection With OSPF
Reverse Route Injection KB ID 0000982 Problem Reverse Route injection is the process that can be used on a Cisco ASA to take a route for an established VPN, and populate/inject that route into the routing table of other devices in it’s routing group. In the example below, on the main site, we have a Layer 3 switch that’s routing all the 192.168.x.x networks, and we have an established site to site VPN to a remote site. To...
Cisco ASA Remote Management via VPN
ASA Remote Management KB ID 0000984 Problem It’s been ages since I has to do this, I usually just manage firewalls via SSH from outside. But I was out on a client site last week and needed to connect to to my ASA, so I simply connected in via AnyConnect; Note: The same procedure is applicable if you are an IPSEC VPN client, L2TP VPN client, or simply coming in over a site to site VPN link. And attempted to SSH, no joy, I tried...
Error 1722 There is a problem with this Windows Installer package.
Error 1722 KB ID 0000985 Problem Error 1722 is a pretty ‘generic’ windows installer package error. When attempting to install the AnyConnect client software this happened; Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action VACon_Install, location: C:Program FilesCiscoCisco AnyConnect...
Cisco ASA: Keep VPN Always Up
VPN Always UP KB ID 0001839 Problem This was information that was passed to me by a colleague (Thanks Ajay) this week. If you have a site to site VPN tunnel after a period of inactivity the tunnel will be torn down. In most cases when required it will simply be re-established, but what if you wanted it to be permanently up? I have had situations where only the ASA side of a tunnel can bring it up (usually because of misconfiguration...